Carter

@jonty you can’t do this on mastodon (via webfinger) because of the specific URI path used (you can’t create an S3 bucket named “.well-known”). You could probably pull it off with other hosts, though.

Validating handles with an HTTP GET instead of a DNS TXT is definitely easier to scale, but fun stuff like this is possible. 😏

4 comments
Brad

@carter @jonty Does DNS TXT have the same problem? If you can register a subdomain _atproto.example.com and create a TXT record for it, could you impersonate the parent domain example.com?

Carter

@bk1e sure, but if you have write access to the authoritative DNS records, you already have the keys to the kingdom. Whereas you can convince a hosting provider to serve a file at a given path pretty easily, it’s part of the product.

Brad

@carter Dynamic DNS providers allow customers to register hosts on their domains, and some might support TXT records. However, registering a host named _atproto is probably not allowed because the leading underscore makes it an invalid hostname.

Carter

@bk1e not sure why TXT would be supported, but yeah I’m sure some impl out there allows it + doesn’t have that validation in place. Good stuff 😛
